HumanSignal / label-studio-sdk

Label Studio SDK
https://api.labelstud.io
Apache License 2.0
99 stars 61 forks source link

Connection through. Azure Active Directory #167

Open benoitLebreton-perso opened 11 months ago

benoitLebreton-perso commented 11 months ago

Hello,

We have deployed a labelstudio on Azure AppService and we have configured an Azure Active Directory for security.

Is it possible to use the label-studio-sdk with this configuration ? We need to auth the python-requests session to the Azure AD ? Has anyone managed to do it ?

With the default config, we fail the healthcheck at the check_connection method and my intuition is Azure AD doesn't allow us to http.get(/health) (and it is legit !)

Maybe there is a way to adapt our connection to pass Azure AD ?

benoitLebreton-perso commented 11 months ago

mmmmh maybe using https://github.com/HumanSignal/label-studio-sdk/blob/491471c71a50681ae5eb2972eb7b080f81c7b888/label_studio_sdk/client.py#L69-L70 (I hope it is so simple !)

benoitLebreton-perso commented 11 months ago

It works with extra_headers param :)

image
benoitLebreton-perso commented 11 months ago

Hello again. The Bearer token is enough for a GET /health request or a GET /api/version But for any GET /api/project request it fails

example :

ls = Client(
    url=label_studio_url,
    api_key=label_studio_access_token,
    extra_headers=azure_ad_headers,
)

print(ls.check_connection()). #it works : {'status': 'UP'}

ls.get_projects(). #it does not work

We get the following trace :

requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://labelstudio-web-app.azurewebsites.net/api/projects?page_size=10000000

I notice that the extra_header replace the token... it seems strange to me. My intuition is I cannot use both the Azure AD Bearer Token & the Label-Studio user token. Do you think it is true ?

Hum maybe I cannot use Azure AD this way (we have two authentifications here : azure AD & label-studio) Maybe I need to configure it using : https://docs.humansignal.com/guide/auth_setup and will it replace the label-studio auth ?